Logstash parse data within square brackets

Question

I am trying to parse the following log-data:

[2016-Nov-12 13:15:17] [prog.HELP]: Some sample text, that causes some troubles. Please use module.html. Watch: https://wiki.buybite.org/display/FOP/Dash+mash+dust [] []

When I try to parse, I cannot parse inside square brackets. I've used this script:

%{YEAR}-%{MONTH}-%{MONTHDAY} %{HOUR}:?%{MINUTE}:%{SECOND} %\[{WORD}\]

But it didn't help at all. I have tried to check it on https://grokdebug.herokuapp.com/

Please check your data, `2016-Noc-12` contains `Noc`, month name, is it true? — Ryszard Czech, Dec 16 '20 at 23:12

score 0 · Answer 1 · answered Dec 17 '20 at 21:37

The expression did not work because there is a ] square bracket after seconds.

Your %\[{WORD}\] pattern is wrong, it matches %[{WORD}], as % cannot be torn away from the pattern name. You can use %{DATA} to obtain the contents between two brackets.

Use

%{YEAR}-%{MONTH}-%{MONTHDAY} %{HOUR}:?%{MINUTE}:%{SECOND}\] \[%{DATA}\]

Logstash parse data within square brackets

1 Answers1